The Internet of Things (IoT) is on an explosive growth trajectory. According to Transforma Insights, the number of IoT-connected devices is projected to increase to 24.1 billion worldwide by 2030. That’s almost a three-fold increase from 2019.

Much of this growth will be fueled by the coming 5G revolution, which will enable businesses and consumers to take advantage of a wide range of increasingly sophisticated connected devices, including wearables, security cameras, smart speakers, industrial sensors, connected vehicles and more.

But for all the value that these new IoT devices and applications are expected to bring to consumers and businesses, some fundamental challenges within the IoT ecosystem still need to be addressed. Securely scaling is one of the biggest challenges, given the growth projections for IoT adoption.

Today’s IoT is based on a hard-coded reference model, which makes it very similar to the way the Internet was 50 years ago. In those early days, the Internet was entirely hard-coded, too. Tens of thousands of hosts and their corresponding IP addresses were stored in a single hosts file. It remained this way for another 20 years until we developed the modern domain name system (DNS), a key innovation that enabled the Internet to grow on a massive scale.

To extend the comparison, domain names are a lot like IoT devices. A domain name has a registrant, and the registrant can point that domain to any website on the Internet. For example, if I buy the “example.ca” domain, we can point it to a website that’s all about me, or I can point it to another site that’s about something else altogether. It’s completely up to me.

A generic IoT device also has an owner, and the owner can theoretically make it work with any application. If I have a security sensor on my front door, for example, I can point it to any security service I like, whether it’s ADT, AlarmForce or some other provider. Again, it’s up to me.

The difference is that pointing a domain name to a different website is very simple. In contrast, the IoT’s hard-coded model makes associating an IoT device to a new application very challenging, if not impossible.

Here’s an example that illustrates the scope of this challenge. Imagine that the City of Ottawa buys thousands of smart, internet-connected parking meters that it deploys around the city. And imagine that these meters are all connected to a fictional application provider called ParkoServ. Each meter has an eSIM card installed in it that is hard-coded to work with ParkoServ only.

If at some point in the future the city’s IT department wants to take advantage of a more cost-effective and technologically superior solution offered by another provider (let’s call it CarParkServ), there’s no easy, secure way for them to do it.

Instead, if they want to make the switch, IT staff will have to locate and manually configure thousands of hard-coded parking meters individually to associate them with CarParkServe. It’s not hard to see that this approach is incredibly labour-intensive, time-consuming, error-prone and expensive.

What if, on the other hand, the city’s IT department could automate the process in a “zero-touch” manner of switching to the new application provider while ensuring that it was done securely?

This is where the Secure IoT Registry we’re developing at CIRA Labs comes in (see our Git repository here). The Secure IoT Registry is an innovative GSMA IoT Safe framework implementation that will allow the world’s mobile eSIM enabled IoT devices to seamlessly and securely connect between any manufacturer, owner, service provider and network operator.

Going back to our parking meter example, the Registry would sit between the parking meters, the application providers, and the wireless mobile networks. To start the process of reconfiguring the parking meters to talk to the CarParkServe system, the Secure IoT Registry would gather all the relevant information about each parking meter, the wireless provider and the new application provider, and the eSIM unique identification number.

Using this information, it would then generate a unique security certificate for each parking meter (on the eSIM). By adding end-to-end encryption to the unique private and public keys, the Secure IoT Registry protects the zero-touch provisioning process against malicious “man in the middle” attacks and any mobile network operator meddling.

To complete the process, it would send these encrypted credentials electronically to the parking meter via a wireless mobile network operator, and the switchover would be complete. All the parking meters would now be connected to the new CarParkService application. You can get more detail about the technology under the hood here.

The zero-touch approach enabled by the Secure IoT Registry is seamless, secure, requires minimal effort on the part of the IT department, and is highly cost-effective. What’s more, if the city ever needs to switch to a different application provider in the future, the process will be the same.

Looking at the big picture, this is the ideal IoT security system that we at CIRA want to see in place in the IoT ecosystem by 2025. In Canada, we are currently working with Blackberry, TELUS, and Solace to road test the application of our platform for medical IoT devices through L-SPARK Global’s MedTech Accelerator.

With the Secure IoT registry, any GSMA IoT SAFE eSIM-equipped, generic IoT device will work with any application. Not only would this help prevent platform/vendor lock-in, but it would also allow the IoT ecosystem to scale exponentially and securely.

It would also allow device manufacturers to focus on developing innovative devices and application developers and cloud service providers to focus on providing IoT services and solutions that provide superior value to their customers.